forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathUseOfUnversionedImmutableAction.qll
More file actions
26 lines (23 loc) · 1 KB
/
UseOfUnversionedImmutableAction.qll
File metadata and controls
26 lines (23 loc) · 1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import actions
class UnversionedImmutableAction extends UsesStep {
UnversionedImmutableAction() {
isImmutableAction(this, _) and
not isSemVer(this.getVersion())
}
}
bindingset[version]
predicate isSemVer(string version) {
// https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix
version
.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$") or
// or N or N.x or N.N.x with optional v prefix
version.regexpMatch("^v?[1-9]\\d*$") or
version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$") or
version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$") or
// or latest which will work
version = "latest"
}
predicate isImmutableAction(UsesStep actionStep, string actionName) {
immutableActionsDataModel(actionName) and
actionStep.getCallee() = actionName
}